From: Casey Schaufler <casey@schaufler-ca.com>
To: Pavel Machek <pavel@ucw.cz>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
Trond Myklebust <trond.myklebust@fys.uio.no>,
Jan Kara <jack@suse.cz>, "J. Bruce Fields" <bfields@fieldses.org>,
"Serge E. Hallyn" <serue@us.ibm.com>,
kernel list <linux-kernel@vger.kernel.org>,
linux-fsdevel@vger.kernel.org, viro@zeniv.linux.org.uk,
jamie@shareable.org
Subject: Re: symlinks with permissions
Date: Wed, 28 Oct 2009 09:34:26 -0700 [thread overview]
Message-ID: <4AE87292.20802@schaufler-ca.com> (raw)
In-Reply-To: <20091028081653.GA18290@elf.ucw.cz>
Pavel Machek wrote:
> On Tue 2009-10-27 21:15:54, Eric W. Biederman wrote:
>
>> Pavel Machek <pavel@ucw.cz> writes:
>>
>>
>>> On Mon 2009-10-26 13:57:49, Trond Myklebust wrote:
>>>
>>>> On Mon, 2009-10-26 at 18:46 +0100, Jan Kara wrote:
>>>>
>>>>> That's what I'd think as well but it does not as I've just learned and
>>>>> tested :) proc_pid_follow_link actually directly gives a dentry of the
>>>>> target file without checking permissions on the way.
>>>>>
>>> It is weider. That symlink even has permissions. Those are not
>>> checked, either.
>>>
>>>
>>>> I seem to remember that is deliberate, the point being that a symlink
>>>> in /proc/*/fd/ may contain a path that refers to a private namespace.
>>>>
>>> Well, it is unexpected and mild security hole.
>>>
>> /proc/<pid>/fd is only viewable by the owner of the process or by
>> someone with CAP_DAC_OVERRIDE. So there appears to be no security
>> hole exploitable by people who don't have the file open.
>>
>
> Please see bugtraq discussion at
> http://seclists.org/bugtraq/2009/Oct/179 .
>
> (In short, you get read-only fd, and you can upgrade it to read-write
> fd. Yes, you are the owner of the process, but you are not owner of
> the file the fd refers to.)
>
>
>>> Part of the problem is that even if you have read-only
>>> filedescriptor, you can upgrade it to read-write, even if path is
>>> inaccessible to you.
>>>
>>> So if someone passes you read-only filedescriptor, you can still write
>>> to it.
>>>
>> Openly if you actually have permission to open the file again. The actual
>> permissions on the file should not be ignored.
>>
>
> The actual permissions of the file are not ignored, but permissions of
> the containing directory _are_. If there's 666 file in 700 directory,
> you can reopen it read-write, in violation of directory's 700
> permissions.
> Pavel
>
There is no security violation here. Consider the case where
the file is unlinked after it is opened. What directory permissions
would matter in that case? Or what about the case where the file
has a link count of 2, say /a/foo and /b/ish are hard links. If
/a is 777 and /b is 700 what would your position be regarding
the file descriptor obtained by opening /b/ish? The path name is
an ethereal convenience and once traversed has no bearing on the
security state of the object. You need to change the semantics
of Linux (and Unix) file systems for your concern to make any
sense at all.
next prev parent reply other threads:[~2009-10-28 16:34 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-10-25 6:29 symlinks with permissions Pavel Machek
2009-10-26 16:31 ` Jan Kara
2009-10-26 16:57 ` Serge E. Hallyn
2009-10-26 17:36 ` J. Bruce Fields
2009-10-26 17:46 ` Jan Kara
2009-10-26 17:57 ` Trond Myklebust
2009-10-25 9:36 ` Pavel Machek
2009-10-26 18:22 ` Trond Myklebust
2009-10-27 8:11 ` Pavel Machek
2009-10-27 10:27 ` Jamie Lokier
2009-10-26 18:35 ` J. Bruce Fields
2009-10-28 4:15 ` Eric W. Biederman
2009-10-28 8:16 ` Pavel Machek
2009-10-28 11:25 ` Eric W. Biederman
2009-10-28 21:03 ` Pavel Machek
2009-10-29 2:20 ` Eric W. Biederman
2009-10-29 11:03 ` Pavel Machek
2009-10-29 16:23 ` Eric W. Biederman
2009-10-30 18:35 ` Pavel Machek
2009-10-30 20:37 ` Nick Bowler
2009-10-30 23:03 ` Eric W. Biederman
2009-10-31 2:30 ` Jamie Lokier
2009-10-28 16:34 ` Casey Schaufler [this message]
2009-10-28 19:44 ` Jamie Lokier
2009-10-28 21:06 ` Pavel Machek
2009-10-28 22:48 ` David Wagner
2009-10-29 4:13 ` Casey Schaufler
2009-10-29 7:53 ` David Wagner
2009-10-30 14:07 ` Pavel Machek
2009-10-31 4:09 ` Casey Schaufler
2009-11-01 9:23 ` David Wagner
2009-11-01 17:43 ` Casey Schaufler
2009-11-01 20:39 ` David Wagner
2009-11-01 22:05 ` Casey Schaufler
2009-10-26 18:02 ` J. Bruce Fields
2009-10-26 17:57 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4AE87292.20802@schaufler-ca.com \
--to=casey@schaufler-ca.com \
--cc=bfields@fieldses.org \
--cc=ebiederm@xmission.com \
--cc=jack@suse.cz \
--cc=jamie@shareable.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pavel@ucw.cz \
--cc=serue@us.ibm.com \
--cc=trond.myklebust@fys.uio.no \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox